CVE-2025-36026
📋 TL;DR
IBM Datacap versions 9.1.7-9.1.9 do not set the Secure attribute on authorization tokens and session cookies. A browser will therefore send these cookies over unencrypted HTTP when a user follows an HTTP link, and an attacker who can observe that traffic can intercept them. This affects all users of vulnerable Datacap deployments, potentially exposing session credentials.
💻 Affected Systems
- IBM Datacap
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal valid session cookies, gaining unauthorized access to Datacap applications and sensitive document processing data.
Likely Case
Session hijacking leading to unauthorized access to document processing workflows and data exfiltration.
If Mitigated
Limited impact if HTTPS-only access is enforced and network segmentation prevents cookie interception.
🎯 Exploit Status
Exploitation requires tricking users into clicking HTTP links or intercepting network traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM Datacap fix as per vendor advisory
Vendor Advisory: https://www.ibm.com/support/pages/node/7238443
Restart Required: Yes
Instructions:
1. Review IBM advisory for specific fix details
2. Apply recommended fix from IBM
3. Restart Datacap services
4. Verify Secure attribute is set on cookies
🔧 Temporary Workarounds
Enforce HTTPS-only access
Configure the web server to redirect all HTTP traffic to HTTPS and set HSTS headers
# Apache: Redirect HTTP to HTTPS in config
# Nginx: server { listen 80; return 301 https://$host$request_uri; }
Configure cookie security headers
Manually set the Secure and HttpOnly flags on session cookies via application configuration
# Application-specific configuration required
🧯 If You Can't Patch
- Enforce HTTPS-only access with HSTS headers
- Implement network segmentation to prevent cookie interception
- Monitor for suspicious authentication patterns
🔍 How to Verify
Check if Vulnerable:
Inspect browser developer tools or use curl to check whether session cookies lack the Secure attribute when accessed via HTTP
Check Version:
Check Datacap version via administrative interface or configuration files
Verify Fix Applied:
Verify that cookies have the Secure attribute set and cannot be sent over HTTP connections
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login from new IP
- Session cookies transmitted over HTTP in logs
Network Indicators:
- HTTP traffic containing session cookies
- Unencrypted authentication traffic
SIEM Query:
search source="web_logs" http_method=GET AND uri CONTAINS "/datacap" AND cookie_header EXISTS